tracyprier
asked on
Not seeing file/folder delete audit results in Security event log
Hi all.
I have enabled auditing for our main shared folder (and its subfolders) to log success events on file or folder deletion however when I check the security log in event viewer it is not reporting any of these even over the last couple of months and there should be a good few of them by now.
Auditing was set as principal: everyone, special permissions of: delete and delete subfolders and files.
Appreciate any help with this
Tracy
I have enabled auditing for our main shared folder (and its subfolders) to log success events on file or folder deletion however when I check the security log in event viewer it is not reporting any of these even over the last couple of months and there should be a good few of them by now.
Auditing was set as principal: everyone, special permissions of: delete and delete subfolders and files.
Appreciate any help with this
Tracy
Auditing setup is two-fold, one half at the folder, the other half at secpol.msc ->local policies auditing policy - audit object access.
Need to search for event such as 4660 - An object was deleted or 4663 - An attempt was made to access an object.
Audit events are only generated for objects that have configured system access control lists (SACLs), and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL.also probably you already may have run the command gpresult /v >C:\gpresult.txt to see the result of group policy
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I wonder if anything in my comment was hard to understand.
ASKER
Sorrry about that, my bad :(
Am also thinking whether our answers are missing any thing or lacking as I see all referring to auditing.